1. INTRODUCTION


This report is the second Semi-Annual Status Report on the research project "Models and Techniques for Evaluating the Effectiveness of Aircraft Computing Systems" being conducted for the NASA Langley Research Center under NASA Grant NSG 1306. The report concerns work accomplished during the period from 1 November 1976 to 30 April 1977, hereafter referred to as the "reporting period."

The purpose of this research project is to develop models, measures and techniques for evaluating the effectiveness of aircraft computing systems. By "effectiveness" in this context we mean the extent to which the user, i.e., a commercial air carrier, may expect to benefit from the computational tasks accomplished by a computing system in the environment of an advanced commercial aircraft. Thus the concept of effectiveness involves aspects of system performance, reliability and worth (value, benefit) which must be appropriately integrated in the process of evaluating system effectiveness. More specifically, the primary objectives of this project are:

1) The development of system models that can provide a basis for the formulation and evaluation of aircraft computer system effectiveness,

2) The formulation of quantitative measures of system effectiveness, and

3) The development of analytic and simulation techniques for evaluating the effectiveness of a proposed or existing aircraft computer.
Work proposed for the first year of this project was to be concerned primarily with objectives 1) and 2). During the previous reporting period (1 May 1976 to 31 October 1976), the main thrust of our work was in line with the first objective (see the first Semi-Annual Status Report [1]). During the current reporting period, our effort has been aimed at both model development (objective 1)) and the formulation of effectiveness measures (objective 2)). More specifically, our work has concerned:

i) More detailed development of the model hierarchy at mission, functional task, and computational task levels, with emphasis placed on the modeling of an air transport mission.

ii) Investigation of an appropriate class of stochastic models that can serve as bottom level models in the hierarchical modeling scheme. The scope of a model at this level is some specified aircraft computer (the system to be evaluated) and the level of abstraction is the "operational state" of the computer's hardware and software.

iii) Definition and formulation of a unified measure of effectiveness called "performability" and, in particular, the "capability" aspect of performability which expresses top model behavior (levels of performance) as a function of base model behavior.
We believe that the following report attests to a substantial amount of progress in each of these areas. Moreover, we feel that the progress to date is compatible with what we had anticipated when writing the proposal for the second year of the project [2].

Section 2 of the report describes the manpower effort proposed 
for the past year, the personnel involved in conducting the 
investigation, and their levels of effort during the reporting 
period. Section 3, the body of the report, describes the technical 
status of the research performed during the reporting period. 
2. PERSONNEL

At the initiation of the project, it was estimated that the following effort would be required during the first year.

Principal Investigator
  100%, two months, summer
  25%, nine months, academic year

Graduate Student Research Assistants
  The equivalent of:
  3 at 100%, three months, summer
  3 at 25%, eight months, academic year

During the reporting period from 1 November 1976 to 30 April 1977, research personnel and their levels of effort have been:

Principal Investigator
  John F. Meyer
    25%, November 1976 - March 1977
    50%, April 1977

Graduate Student Research Assistants
  Robert A. Ballance
    25%, January 1977 - April 1977
  David G. Furchtgott
    25%, November 1976 - April 1977
  Liang T. Wu
    25%, November 1976 - April 1977
3. TECHNICAL STATUS

As stated in the introduction, our research during the reporting period has progressed in three principal areas.

The first area has been a more detailed development of the higher level models in the hierarchy, i.e., the models at the mission, functional task, and computational task levels. In particular, our efforts here have focused on i) establishing a general methodology for formulating higher level models and ii) applying this methodology to the formulation of a prototype model hierarchy for a specific type of mission, i.e., an air transport mission.

The second area has been the investigation of an appropriate class of stochastic models that can serve as bottom level models in a model hierarchy. A model in this class is a model of some specified aircraft computer and the level of abstraction is the "operational state" of the computer's hardware and software. The goal here is not to develop a bottom level model for a specific aircraft computer architecture (e.g., SIFT [3] or OSIRIS [4]) but, instead, to determine a type of stochastic model which is i) capable of representing a variety of fault-tolerant computer architectures and ii) compatible with a hierarchical modeling scheme.

The third area of effort has been the definition and formulation of a unified measure of effectiveness called "performability" which comprises three principal measures: "availability," "dependability" and "capability." The first two measures quantify the behavior of the bottom model of the hierarchy and are the usual objects of study in classical structure-based reliability analysis. Accordingly, the bulk of our effort here has concerned the third measure, "capability," which expresses top model behavior (levels of total system performance) as a function of the "basic variables" of the bottom and intermediate level models. In particular, we have established a class of capability measures referred to as "capability functions" and have developed a general concept of "functional dependence" (called "R-dependence") which is applicable to capability functions.

The status of our research in each of these areas is described 
in the subsections that follow. 
3.1 Higher Level Models

3.1.1 A Model Hierarchy

During the reporting period, we have continued the development of the system models described in the first Semi-Annual Status Report [1]. As discussed in [1], we seek a model of the total system with a behavior relating directly to the user's requirements and a structure accurately describing the probabilistic nature of the system's components. This view requires a high, user-oriented level with scope comprising the total system (i.e., the air carrier) as well as a low, structure-oriented bottom level comprising the object system (i.e., the computing system and closely related peripheral equipment). Also, in order to relate the performance of the computer hardware (bottom level) to the accomplishment of user-oriented missions (top level), we have concluded that at least two intermediate levels are necessary. These are the aircraft functional task level (the higher of the two intermediate levels) and the computational task level (the lower of the two levels).

Because the bottom level concerns the object system, we have found that information from non-object systems (e.g., environment, supporting and related systems) is more easily introduced at these higher levels. Using what we call "basic variables," we incorporate each non-object system into the hierarchy based on the level at which that information is used (see Figure 1). For example, "weather" does not depend on any aircraft function and yet it can affect the mission outcome; thus, weather may be introduced at the aircraft functional level.
Figure 1 (diagram rendered as a table; the arrows linking composite variables at one level to variables at the next lower level are not reproduced)

Level            Scope         Level of Abstraction
Top              Air Carrier   Missions
Intermediate 1   Aircraft      Functional Tasks
Intermediate 2   Computer      Computational Tasks
Bottom           Computer      Hardware and Software Functions

Basic variables at some level are newly introduced at that level.

Composite variables at some level are supported by variables at the next lower level.

Figure 1. General description of a model hierarchy for aircraft computing systems
The bottom model, along with the higher level basic variables, is referred to collectively as the "base model" of the total system. Formally, the connection between the behavior of the base model and that of the top (mission level) model is expressed by a "capability function," the discussion of which is deferred to Section 3.3.2.2. In general, the interaction between various levels of a model hierarchy can be viewed either as a part of the hierarchy, per se, or as something which is determined later, in the process of using the model to analyze some aspect of system behavior, e.g., its performability. Either view is legitimate, but the latter appears to be more convenient for the purpose of classifying and discussing these interactions.

3.1.2 Model Descriptions

3.1.2.1 Top Level Models

Extending the effort described in the first Semi-Annual Report [1], we have established the following methodology for formulating the top level model. We begin with an informal general description (or concept) of system missions. These are simple English statements telling us what system activities the user deems desirable and pertinent to each mission. Thus, for a transport mission, this statement may be "Transport passengers between two points quickly, safely, conveniently and with minimum fuel consumption." Note that one can always vary or expand upon this statement to address other missions; to illustrate, we could talk about long, intermediate, or short range missions. Other mission types have also been examined, especially a maintenance mission and a "standby" mission (in which a spare plane is stored to use as a backup in case a plane in service breaks down).

Next, from the mission statement we derive a list of the relevant mission factors. This is called the "mission requirement set." For the air transport mission above, we have:

1) Passengers are to be transported with time constraints

2) A given safety rate is to be attained

3) Inconveniences (diversions, arrival delays, etc.) are to be minimized

4) Fuel consumption is to be minimized.

The next step is a temporal decomposition of missions. Typically, there exist intervals ("phases") during which a system is concentrating most of its facilities upon one activity (or set of activities) and allocating fewer resources to other activities [5]-[7]. Furthermore, during these intervals, system requirements are generally constant, although they may change radically between phases. For instance, the computational demand on a computer during a cruise portion of a flight may be much less than the demand during an autoland portion. An air transport mission, for example, can be naturally decomposed into

i) Takeoff,

ii) Climb,

iii) Cruise,

iv) Descent,

v) Approach and Landing.

Once we have described a mission and its desired goals, we then classify each mission outcome by determining various mission "qualities" or "levels of accomplishment." This is an indication of the general outcome of each mission based on how well the demands of the mission requirement set are fulfilled. For instance, with the air transport mission, several levels of accomplishment could be informally stated as follows:

i) Flight with no diversion and low fuel consumption

ii) Flight with no diversion and medium to high fuel consumption

iii) Flight with diversion

iv) Flight involving a fatal accident.

To obtain a more formal characterization of these levels of accomplishment, with each mission we associate a "mission variable set" which is a set of variables such that if the value of each variable is known, then so is the level of accomplishment. It is also desirable (but not necessary) that each variable depend on the nature of the object system in the sense that the value assumed by a given variable will differ for at least two different object systems. To illustrate this concept, consider the air transport mission whose requirement set is given above. Then a sufficient mission variable set might be the following:

a) Seating capacity [integer, in passengers]

b) Flight distance [real, in kilometers]

c) Aircraft speed [real, in kilometers/hour]

d) Fuel consumption [trinary valued, with
   0 = low consumption rate
   1 = medium consumption rate
   2 = high consumption rate]

e) Fuel capacity [integer, in kilograms]

f) Safety [binary valued, with
   0 = no fatalities
   1 = fatalities]

g) Arrival delay [integer, in minutes]

h) Diversion [binary valued, with
   0 = no diversion
   1 = diversion].


Note that the mission requirement set connotes certain necessary values for certain items, while the mission variable set places no such bound on any variable. This is because the mission requirement set describes what the user wants the system to do while the mission variable set describes what the system actually does.

Given a set of mission variables, to formulate levels of (mission) accomplishment, we define an "outcome" of a mission to be a particular sequence of values of mission variables, one value for each variable in the mission variable set. More precisely, if there are $k$ mission variables, let $z_i$ denote the $i$th variable and let $R_i$ denote the range of $z_i$ (i.e., the variable $z_i$ assumes values in set $R_i$). Then a mission outcome is an element of the set $R_1 \times R_2 \times \cdots \times R_k$ and a level of (mission) accomplishment is a nonempty set of mission outcomes. The interpretation of a level of accomplishment is that all outcomes in the level are relatively indistinguishable from the user's point of view. Generally, for a given mission, there will be several levels of accomplishment (referred to as the range of accomplishment) such that every possible mission outcome is contained in one and only one level.
To illustrate this notion, if mission variables a) - h), described above, are denoted $z_1, z_2, \ldots, z_8$, respectively, then accomplishment level ii) (Flight with no diversion and medium to high fuel consumption) is formally represented by the set:

$$A_2 = \{(z_1, z_2, \ldots, z_8) \in R_1 \times R_2 \times \cdots \times R_8 \mid z_4 \in \{1, 2\} \text{ and } z_8 = 0\}.$$

In addition, one can incorporate the notion of phase into the process of delineating levels of accomplishment by allowing the requirements to change with time. For instance, in level i) above, we might require "fuel consumption" = 0 during the cruise phase, and then allow "fuel consumption" = 0 or 1 during all other phases. Figure 2 illustrates this point.

3.1.2.2 Intermediate Level Models

The intermediate level models represent successive layers of coarseness in bridging the bottom, object system (computer) model and the top, mission level model. For an aircraft computing system, we believe that at least two such intermediate levels are needed to facilitate the determination of the relation between the bottom and top levels (i.e., the determination of the capability function; see Section 3.3.2.2).

First, below the air carrier level, we have the "aircraft functional task" level, characterizing the aircraft and especially those aircraft systems affected by the computer (e.g., autoland systems, stability augmentation systems and navigation systems; see Ratner, et al. [9] for one such list of requirements). As with
Figure 2 (diagram not reproduced). Levels of accomplishment delineated by some variable $z_i$ and phase
missions, we can define task requirement sets to describe the demands of a given task and task variable sets to describe system performance relative to those demands. Thus, for example, stability augmentation requirements may be stated simply as the (singleton) set:

a) Aircraft stability is to be kept within a specified tolerance level (where the level may vary according to phase).

Control theory abounds with variables which could be used to describe system performance relative to this requirement (see [10] for details). One example of a stability variable set might be:

a) Steady state error (pitch, roll, yaw) [real, in degrees]

b) Maximum overshoot (pitch, roll, yaw) [real, in degrees]

c) Rise time (roll, pitch, yaw) [real, in seconds]

d) Settling time (roll, pitch, yaw) [real, in seconds].

Alternatively, a simpler example which might well suffice is the singleton variable set:

a) Stability [trinary valued, with
   0 = high degree of stability
   1 = medium degree of stability
   2 = no stability].

The development of variable sets for other functional tasks (e.g., autoland, cruise navigation, etc.) is carried out in a similar fashion.

Next, between the aircraft functional tasks level and the bottom level, we have introduced a "computational task" level, describing the basic operations the computer is required to perform in order to accomplish the aircraft functional tasks. These computational tasks include such activities as those suggested by Ratner, et al. [9]:

a) Vertical guidance

b) Horizontal guidance

c) Engine control.

Here, too, we can define task requirement sets and task variable sets. Thus, for task a) above, we may define the following task requirement set:

a) Computations involving vertical guidance are to be accomplished within given time and accuracy constraints

from which we derive the following task variable set:

a) Program access [binary valued, with
   0 = access to vertical guidance program
   1 = no access]

b) Instruction rate [integer, in average number of instructions devoted to vertical guidance computations per second]

c) Computation size [integer, in average number of instructions used in the performance of a single pass of the vertical guidance program].

We have also been studying the problem of incorporating non-computer related information into the model hierarchy in a systematic way. One solution which shows promise is to distinguish two types of model variables at each level of the model hierarchy. More precisely, a model variable at level i is a

i) basic variable if its values cannot be expressed in terms of model variables at level i+1 (the next lower level),

ii) composite variable if it is not basic, i.e., its values can be determined by knowing the values of the level i+1 variables.

Thus, the set of basic variables at level i represents the increase in scope of the level i model relative to that of the level i+1 model. (At the lowest level, all variables are basic.) Composite variables, on the other hand, lie within the scope of the next lower model and are determinable as a function of lower level model behavior (see Figure 1).

To illustrate this distinction, consider the "diversion" variable (as discussed above) introduced at the top level mission model (i=0). At the next lower level this could be expressed in terms of two variables, i) weather and ii) autoland. Thus "diversion" is a composite variable at level 0. If "autoland" is further divided into the computational tasks required for autoland, then "autoland" is composite at level 1. Without further decomposition, "weather" is a basic variable at level 1 (see Figure 3).

3.1.3 Hierarchical Modeling of an Air Transport Mission

During the present reporting period, we have investigated several prototype air transport models. In the sections that follow, we present a simplified model intended to demonstrate some of the major points discussed in the preceding sections. We will develop the model in a top down manner, applying the general method described above. Furthermore, many of the examples in the prior discussion will be incorporated below, though usually in a simplified form.

It should be noted that, within the hierarchy, there are several other facets of modeling which we have been investigating but which are not reflected in this example. These are discussed in Sections 3.2 and 3.3 and include the bottom model (hardware and
Figure 3 (diagram not reproduced). Sample variables of a model hierarchy for aircraft computing systems
software functions), "interphase transition functions" (functions yielding the system configuration after a change in phase) and dependencies (both temporal and structural).

3.1.3.1 Top Level Model Development

The mission developed here is a basic air transport mission which can be informally described as follows:

Mission Statement: "Transport passengers between two points safely, conveniently and with minimal fuel consumption."

Mission Requirement Set:

i) A given safety rate is to be attained.

ii) Inconveniences (diversions) are to be minimized.

iii) Fuel consumption is to be minimized.

Levels of Accomplishment:

1) Flight with no fatalities, no diversion and low fuel consumption

2) Flight with no fatalities, no diversion and high fuel consumption

3) Flight with no fatalities, diversion and low fuel consumption

4) Flight with no fatalities, diversion and high fuel consumption

5) Flight with fatalities.

Given the mission requirement set we designate the following mission variable set:

$z_1$: Safety [binary valued, with
   0 = no fatalities
   1 = fatalities]

$z_2$: Diversion [binary valued, with
   0 = no diversion
   1 = diversion]

$z_3$: Fuel Consumption [binary valued, with
   0 = low fuel consumption
   1 = high fuel consumption]
and, accordingly (see the general discussion in the previous subsection), the five levels of accomplishment are formally represented by the sets:

$$A_1 = \{(0,0,0)\}$$

$$A_2 = \{(0,0,1)\}$$

$$A_3 = \{(0,1,0)\}$$

$$A_4 = \{(0,1,1)\}$$

$$A_5 = \{(1,0,0), (1,0,1), (1,1,0), (1,1,1)\}.$$

3.1.3.2 Intermediate Level Development

At the aircraft task level, there are a number of functional tasks which are needed to support the accomplishment of the mission. To simplify the exposition, however, let us suppose that there are only two types of tasks that need to be accomplished:

a) Active Control (stability augmentation/fuel regulation)

b) Autoland.

Let us suppose further that the air transport mission has three phases: takeoff, cruise and landing, that active control is required in varying degrees throughout the flight and that autoland is required if Category III weather conditions exist at the time landing is to be initiated. If autoland is required but is not available at the time landing is to be initiated (due either to a faulty computer or to a computer which is not designed to support the autoland task), the flight is diverted to another airport.

Given these requirements, we formalize the Intermediate 1 model as follows. The takeoff, cruise and landing phases are denoted as phase 1, phase 2 and phase 3, respectively, and for the active control task we designate three task variables:

$$y_{11},\ y_{12},\ y_{13}$$
where $y_{1j} \in \{0, 1, 2\}$, $j = 1, 2, 3$. The interpretation of $y_{1j}$ is the level of accomplishment of the active control task during the $j$th phase, where:

$$y_{1j} = \begin{cases} 0 & \text{if there is stability augmentation and fuel regulation during the } j\text{th phase} \\ 1 & \text{if there is stability augmentation but no fuel regulation during the } j\text{th phase} \\ 2 & \text{if there is no active control during the } j\text{th phase.} \end{cases}$$

For the autoland task we designate two task variables $y_{22}$ and $y_{23}$ where:

$$y_{22} = \begin{cases} 0 & \text{if the autoland capability is available at the end of the cruise phase} \\ 1 & \text{otherwise} \end{cases}$$

and

$$y_{23} = \begin{cases} 0 & \text{if the autoland function is accomplished during the landing phase} \\ 1 & \text{otherwise.} \end{cases}$$

Finally, we designate a single basic variable (weather) at the Intermediate 1 level which is denoted $y_{32}$ and is interpreted as follows:

$$y_{32} = \begin{cases} 0 & \text{if the designated landing site does not have Cat III weather at the end of the cruise phase} \\ 1 & \text{otherwise.} \end{cases}$$

To summarize, the Intermediate 1 level variables can be described as a single matrix valued variable:

$$Y = \begin{bmatrix} y_{11} & y_{12} & y_{13} \\ \phi & y_{22} & y_{23} \\ \phi & y_{32} & \phi \end{bmatrix}$$

where the first two rows are the composite variables, the third row is the basic variable, and $y_{11}, y_{12}, y_{13}, y_{22}, y_{23}, y_{32}$ are defined above. The circled entries (written $\phi$ above) are variables whose values are irrelevant to this analysis and are assigned a constant value $= \phi$. The probabilistic nature of the composite variables $y_{1j}, y_{2j}$ is determined by that of lower level variables; the probabilistic nature of the basic variable $y_{32}$ is determined by the non-computer part of the base model (see Section 3.2.2). In keeping with the general definition of our model hierarchy, the matrix value of $Y$ should suffice to determine the values of the composite variables at the top level. Furthermore, since there are no basic variables at the top level, we can resolve the $Z$ matrix and hence obtain the level of accomplishment.

The process of determining the level of accomplishment which results from a given value of $Y$ is part of the more general problem of formulating the capability function (see Section 3.3.2). To illustrate this connection, however, let us suppose that the aircraft is such that an active control level of 0 or 1 is required throughout the flight (see variables $y_{1j}$, $j = 1, 2, 3$) for aircraft survival (i.e., without stability augmentation, the plane crashes). Suppose further that if the degree of active control drops from 0 to 1 or 2 any time before the landing phase, then fuel consumption is increased to the point where it is classified as "high." Finally, let us suppose that when Cat III weather exists at the intended landing site, if autoland capability is available (at the end of the cruise phase) the autoland system is used to attempt an automatic landing; if not available, the aircraft is diverted to an alternate landing site. If autoland is attempted but not accomplished, the aircraft crashes.
Table 1. Values of mission variables and level of accomplishment as determined by sample values of Intermediate 1 variables. (Each value of $Y$ is listed row by row, active control / autoland / weather, with one column per phase 1, 2, 3; entries marked "-" in $Z$ are immaterial, since $A_5$ contains every outcome with $z_1 = 1$.)

  Y (Intermediate 1)                          Z (Mission)       Level of
  active control | autoland | weather        z1  z2  z3       accomplishment
  0 0 1          | φ 1 1    | φ 0 φ           0   0   0       A1 (total success)
  0 1 1          | φ 0 0    | φ 1 φ           0   0   1       A2
  0 0 0          | φ 1 1    | φ 1 φ           0   1   0       A3
  1 1 1          | φ 1 1    | φ 1 φ           0   1   1       A4
  0 2 2          | φ 1 1    | φ 0 φ           1   -   -       A5 (total failure)
  0 0 0          | φ 0 1    | φ 1 φ           1   -   -       A5 (total failure)
Under the above set of conditions, Table 1 gives the corresponding mission variable values and, subsequently, the level of (mission) accomplishment for several representative values of the Intermediate 1 model variables (i.e., the variable $Y$). An exhaustive analysis of all 216 possible values of $Y$ shows that 10 values yield an accomplishment level equal to $A_1$, 30 values yield $A_2$, 4 yield $A_3$, 12 yield $A_4$ and 160 yield $A_5$. It should be noted, however, that these numbers have no direct bearing on the system's performability since the probabilistic nature of the matrix-valued random variable $Y$ has yet to be accounted for. Indeed, many of the values of $Y$ are "logically inconsistent" and hence have a zero probability of occurrence. For example, the value

$$Y = \begin{bmatrix} 2 & 2 & 2 \\ \phi & 0 & 0 \\ \phi & 1 & \phi \end{bmatrix}$$

says that the aircraft crashes during takeoff, due to loss of active control, and yet autoland is accomplished during landing.
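The mapping from $Y$ to the mission variables $Z$ and on to a level of accomplishment, carried out exhaustively over the 216 values of $Y$, as an added Python example (not the report's own code). It encodes the rules of the preceding paragraph and the sets $A_1$ to $A_5$ of Section 3.1.3.1, and it assumes that $\phi$ is represented by `None`, that a "drop" of active control before the landing phase means any value of 1 or 2 in phase 1 or phase 2, and, for an illustrative consistency check the report states only by example, that once active control is lost the aircraft has crashed, so it stays lost in every later phase and no autoland can be accomplished afterwards.

```python
"""Intermediate 1 variable Y -> mission variables Z -> level of accomplishment.

Illustrative code, not from the report. Y is a 3x3 nested tuple laid out as in
the report: row 1 = active control (y11, y12, y13), row 2 = autoland
(phi, y22, y23), row 3 = weather (phi, y32, phi); phi marks an entry whose
value is irrelevant to the analysis.
"""
import itertools

PHI = None  # assumption: the report's constant phi is represented by None

# Levels of accomplishment as sets of outcomes (z1, z2, z3) = (safety, diversion, fuel).
LEVELS = {
    "A1": {(0, 0, 0)},
    "A2": {(0, 0, 1)},
    "A3": {(0, 1, 0)},
    "A4": {(0, 1, 1)},
    "A5": {(1, 0, 0), (1, 0, 1), (1, 1, 0), (1, 1, 1)},
}


def mission_variables(Y):
    """Apply the report's informal rules to Y and return Z = (z1, z2, z3)."""
    (y11, y12, y13), (_, y22, y23), (_, y32, _) = Y
    # Active control level 2 in any phase means loss of stability augmentation: crash.
    crash = 2 in (y11, y12, y13)
    diversion = 0
    if not crash and y32 == 1:  # Cat III weather at the intended landing site
        if y22 == 0:            # autoland available: an automatic landing is attempted
            crash = y23 == 1    # attempted but not accomplished: crash
        else:
            diversion = 1       # not available: divert to an alternate site
    # Assumed reading: any fall of active control below level 0 during takeoff
    # or cruise (i.e. before the landing phase) makes fuel consumption "high".
    fuel_high = 1 if (y11 >= 1 or y12 >= 1) else 0
    return (1 if crash else 0, diversion, fuel_high)


def level_of_accomplishment(Z):
    """Return the name of the unique level A_k containing outcome Z."""
    for name, outcomes in LEVELS.items():
        if Z in outcomes:
            return name
    raise ValueError(f"outcome {Z} lies in no level of accomplishment")


def all_Y_values():
    """Enumerate the 3^3 * 2^2 * 2 = 216 values of Y."""
    for y1 in itertools.product((0, 1, 2), repeat=3):
        for y22, y23 in itertools.product((0, 1), repeat=2):
            for y32 in (0, 1):
                yield (y1, (PHI, y22, y23), (PHI, y32, PHI))


def count_levels():
    """Number of Y values yielding each level (no probabilities involved)."""
    counts = dict.fromkeys(LEVELS, 0)
    for Y in all_Y_values():
        counts[level_of_accomplishment(mission_variables(Y))] += 1
    return counts


def is_logically_consistent(Y):
    """Assumed consistency rule (the report gives only one example of an
    inconsistent value): once active control is lost in phase j the aircraft
    has crashed, so it must remain lost in every later phase and autoland
    cannot be accomplished in the landing phase afterwards."""
    (y11, y12, y13), (_, _, y23), _ = Y
    levels = (y11, y12, y13)
    for j, level in enumerate(levels, start=1):
        if level == 2:
            later_all_lost = all(v == 2 for v in levels[j:])
            return later_all_lost and (j == 3 or y23 == 1)
    return True


if __name__ == "__main__":
    print(count_levels())  # {'A1': 10, 'A2': 30, 'A3': 4, 'A4': 12, 'A5': 160}
    # The report's example of a logically inconsistent value of Y:
    bad = ((2, 2, 2), (PHI, 0, 0), (PHI, 1, PHI))
    print(is_logically_consistent(bad))  # False
```

The counts returned by `count_levels()` reproduce the 10/30/4/12/160 split quoted in the text, which is what fixes the reading of the "drop in active control" rule used for `fuel_high`; with a stricter reading (only a change from 0 to 1 between phases) the counts do not come out the same.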


The next intermediate model in the hierarchy (Intermediate 2) is intended to represent the behavior of the computer per se, in terms of the computational tasks it performs throughout the utilization interval. The purpose of this model is to provide a description of computer behavior that is generally applicable to the class of fault-tolerant computers envisioned for use in the next generation of commercial aircraft. The Intermediate 2 model thus serves as a common interface between specified, architecture dependent bottom models and the Intermediate 1 model.
During the reporting period, some effort was devoted to examining alternative types of representation which might be appropriate at the Intermediate 2 level, in preparation for a more detailed development which is just now underway.

We can, however, illustrate the role of such a model via a simplified example which describes how computational tasks are accomplished during the utilization interval. More precisely, suppose that the utilization interval is divided into five computational periods as follows:

   0       1       2       3       4       5
   |takeoff|          cruise          |landing|

Suppose further that the duration of a computational task is taken to be the duration of the period during which the task is executed, and that there are four types of computational tasks:

1) Stability computations

2) Fuel regulation computations

3) Autoland computations

4) Internal computations (I/O management, on-line fault detection, etc.).

If we let (i,j) denote the task which is of type i and is to be accomplished during the jth period, then the Intermediate 2 model can be taken to be a matrix-valued variable $X = [x_{ij}]$, $1 \le i \le 4$, $1 \le j \le 5$,
where

$$x_{ij} \in \{0, 1\} \quad \text{for } i \in \{1, 2, 4\} \text{ and } 1 \le j \le 5, \text{ or for } i = 3 \text{ and } j \in \{4, 5\}$$

(i.e., for the non-circled entries) and

$$x_{ij} = \phi \quad \text{for } i = 3 \text{ and } 1 \le j \le 3$$

(i.e., for the circled entries). The interpretation in the first case is that

$$x_{ij} = \begin{cases} 0 & \text{if task } (i,j) \text{ is accomplished} \\ 1 & \text{otherwise.} \end{cases}$$

(E.g., $x_{23} = 0$ means that fuel regulation computations were accomplished during period 3.) In the second case, $\phi$ is assigned to those variables whose values are irrelevant to the analysis.

The variable $X$ can now be employed to determine the Intermediate 1 model composite variables. To describe this process, define the composite variable submatrix $Y_c$ of a variable matrix $Y$ to be the matrix composed of those rows of $Y$ which correspond to composite variables. For instance, given the Intermediate 1 level $Y$ discussed above,

$$Y = \begin{bmatrix} y_{11} & y_{12} & y_{13} \\ y_{21} & y_{22} & y_{23} \\ y_{31} & y_{32} & y_{33} \end{bmatrix}$$

(rows 1 and 2: composite variables; row 3: basic variables), the submatrix $Y_c$ would be

$$Y_c = \begin{bmatrix} y_{11} & y_{12} & y_{13} \\ y_{21} & y_{22} & y_{23} \end{bmatrix}.$$
We can now make certain assumptions regarding the relations 
between computational tasks and aircraft functional tasks. First, 
we assume that all aircraft tasks require the successful accomplishment 
of general internal computations as well as the computations 
specific to that aircraft task. Thus autoland, for instance, 
necessitates both autoland computations and internal computations. 

Second, if the computational tasks required to perform an 
aircraft functional task are achieved, we assume that the functional 
task is accomplished. The need for this second assumption is 
due to the simplicity of this specific example. In general, 
the accomplishment of aircraft functional tasks can also 
depend on related aircraft systems as represented by 
additional Intermediate 2 model variables. 

Finally, we make some assumptions with regard to how the 
three periods of the Intermediate 2 cruise phase relate to the single 
period of the Intermediate 1 cruise phase. If the stability, 
fuel regulation, or internal computations fail at any point 
during the cruise phase (e.g., if $(x_{22}, x_{23}, x_{24}) = (0, 0, 1)$), 
then those computations are unable to support their respective 
functional tasks represented by the Intermediate 1 composite 
variables. For instance, $(x_{12}, x_{13}, x_{14}) = (0, 1, 0)$ represents a 
stability computation that results in loss of stability augmentation 
during the cruise phase. Autoland computations, on the 
other hand, need to be available only at the end of the cruise 
phase. Therefore, we assume that the autoland computations are 
good if $x_{34} = 0$ and failed if $x_{34} = 1$. Thus, $(x_{32}, x_{33}, x_{34}) = (\phi, \phi, 0)$ 
yields an autoland computation condition of 0 for the 
cruise phase. Note that the three periods of the Intermediate 
2 cruise phase allow a closer examination of the computer's 
activities than would have been possible with only the one Intermediate 
1 period. Indeed, this ability to alter the time scale 
from level to level is an important feature of the hierarchy since 
it permits a refinement of time as well as structural detail 
when descending the hierarchy. 

With these assumptions, the values of the Intermediate 1 
model composite variables are determinable from the computational 
outcomes X. As an example of applying these results, 
consider the following matrix: 

$X = \begin{bmatrix} 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 \\ \phi & \phi & \phi & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \end{bmatrix}$ 

This says that the stability and internal computations were 
successful during the entire mission, the autoland computations 
were successful during the last two periods of the flight, while 
the fuel regulation computations failed during the last three 
periods of the flight. The above value of X yields the 
following value for the composite variables at the next higher 
level: 

$y_c = \begin{bmatrix} 0 & 1 & 1 \\ \phi & 0 & 0 \end{bmatrix}$ 

Here, $y_{12} = y_{13} = 1$ since the fuel regulation computations failed 
during the 2nd and 3rd phases. All other computations were 
successful; hence $y_{11} = y_{22} = y_{23} = 0$. 

Table 2 shows some other possible values of X along with the 
corresponding values of $y_c$. These outcomes follow naturally 
from the definitions of X, $y_c$ and the assumptions regarding 
the relationship of computational tasks to functional tasks. 

(Rows of X, top to bottom: stability, fuel regulation, autoland and 
internal computations; columns: periods 1 to 5. Rows of $y_c$: active 
control ($y_{1j}$) and autoland ($y_{2j}$); columns: takeoff, cruise, 
landing. Rows are separated by semicolons.) 

X = [0 0 0 0 0; 0 0 0 0 0; φ φ φ 0 0; 0 0 0 0 0]    y_c = [0 0 0; φ 0 0] 

X = [0 0 0 0 0; 0 1 0 0 0; φ φ φ 1 0; 0 0 0 0 0]    y_c = [0 1 0; φ 1 0] 

X = [0 0 0 0 1; 1 0 0 0 0; φ φ φ 1 0; 0 0 0 0 0]    y_c = [1 0 2; φ 1 0] 

X = [0 0 0 0 0; 1 1 1 0 1; φ φ φ 0 1; 0 0 0 0 0]    y_c = [1 1 1; φ 0 1] 

X = [0 0 1 1 1; 0 1 1 1 1; φ φ φ 1 1; 0 0 1 1 1]    y_c = [0 2 2; φ 1 1] 

Table 2 

Values of Intermediate 1 composite variables as determined by 
sample values of Intermediate 2 model variables 
3.2 Computer Models 

The objective of this effort is to delineate an 
appropriate class of stochastic models that can serve as bottom 
level models in the hierarchy. The scope of a model in this 
class is some specified aircraft computer and the level of 
abstraction is the "operational state" of the computer's 
hardware and software. Accordingly, this class of models must 
be general enough to cover a variety of computer architectures 
of the type being considered for use in advanced commercial 
aircraft. At the same time, this class must be specific 
enough to permit the study of how a bottom level model relates 
to higher level models in the hierarchy. 

This effort was initiated during the previous reporting 
period and, during the current period, we have continued our 
examination of Markov models that have recently been employed 
as computer models for the reliability analysis of fault-tolerant 
computing systems (see [11]-[15], for example). We have found 
that such models are compatible with the hierarchy in the sense 
that the state behavior of a model can be used to determine 
whether the system is able to accomplish a higher level task or 
mission. However, we have also found that in order to formulate 
these higher level tasks and missions in terms of the system's 
operation and environment, the model should incorporate a concept 
of state that is capable of representing more than just the 
operational status of various components. As a consequence, 
the resulting Markov model may require an enormous state space, 
even for a moderately complex computing system. 

In order to keep the size of the state space manageable, 
we have examined possible ways of extending the concept of a 
stationary Markov process, the results of which are summarized in 
the subsections that follow. 

3.2.1 A Non-Stationary Markov Process 

As an extension of the traditional Markov models with 
stationary transition probabilities, we have examined a class of 
stochastic models which can be represented as finite-state non-stationary 
Markov processes. Since the transition probabilities 
of each model are presumably stationary during each phase, each 
of these models can be regarded as a finite sequence of stationary 
Markov processes, where each process in the sequence has a 
fixed duration. 

The reliability analysis of phased missions has been studied 
in the past, but most of the previous work (see [6] and [8], for 
example) considers the case where interphase transitions are deterministic. 
For systems with non-repairable and statistically 
independent components, a general treatment of the problem of 
interphase dependencies was recently provided by Esary and Ziehms 
(see [5] and [7]). In their approach, a mission is represented 
by a set of fault trees, each of which denotes the computational 
requirements of the system during a specific phase. Each mission 
is then transformed into a single synthetic fault tree which can 
then be evaluated using the usual fault tree techniques. Although 
this approach may have some value from a conceptual point of view, 
it is of little practical use when applied to systems having the 
complexity of an aircraft computer. This is due to the fact that 
i) it assumes that the operational state model is the same throughout 
the utilization interval (only the structure function can 
change from phase to phase), ii) the local state sets of the subsystems 
are two-valued (i.e., operational states are described at 
the component level), and iii) the approach relies on a principle 
of "composition" rather than "decomposition" which increases the 
size of the equivalent model. As a consequence of these facts, the 
size of the resulting fault tree is unmanageable, even for systems 
of moderate complexity. 

An alternative to this "composition" approach is to 
perform a phase-by-phase analysis which accounts for the probabilistic 
nature of interphase dependencies. An examination of 
this alternative was initiated during the reporting period; 
the results obtained to date are discussed in the subsections that 
follow. 

3.2.1.1 Model Description 

We suppose first that the utilization interval 
$T = \{t \mid t_0 \le t \le t_k\}$ is decomposed into k consecutive intervals 
$T_1, T_2, \ldots, T_k$, where $T_m = \{t \mid t_{m-1} \le t < t_m\}$ and 
$t_0 < t_1 < \cdots < t_k$. 
The set of time points $\{t_m \mid m = 0, 1, \ldots, k\}$ is fixed for a given 
mission since the mission profile of the aircraft is assumed to 
be known in advance. Henceforth, each time interval $T_m$ will be 
referred to as the m-th phase of the mission. 

Given a utilization interval T, we suppose further that 
the probabilistic nature of the computing system to be evaluated 
is described by a finite-state stochastic process 

$Y_S = \{Y_S(t) \mid t \in T\}$ 

where, for a given t, $Y_S(t)$ is a random variable (defined on an 
underlying probability space $(\Omega, F, P)$) that takes on values in 
the state space Q (i.e., $Y_S(t): \Omega \to Q$). The process is assumed to be a 
Markov process with transition probability 

$\Pr[Y_S(t+\tau) = j \mid Y_S(t'),\ t' \le t] = \Pr[Y_S(t+\tau) = j \mid Y_S(t)].$ 

The conditional probability above may, in general, depend 
on both t and $\tau$ (in addition to j and the value of $Y_S(t)$). However, 
we suppose that the transition probabilities are stationary 
within each phase, i.e., given phase $T_m = [t_{m-1}, t_m)$, 

$\Pr[Y_S(t+\tau) = j \mid Y_S(t) = i] = P_\tau(i, j)$ 

is independent of t for $t_{m-1} \le t < t + \tau < t_m$, 
$i, j \in Q$ and $m = 1, 2, \ldots, k$. 

Consider a simple example. A typical aircraft flight may 
consist of three phases: take-off, cruise and landing. Assume 
that the flight control on-board computer consists of four 
functionally independent identical units. Different units may 
or may not compute the same function at the same time depending 
on the amount of computation needed and the safety requirements 
of each phase. As an illustration, the system may assume a 
TMR configuration with one standby unit for the take-off. During 
the cruise phase, the system may require only a duplex-simplex 
configuration with two standby spare units. To meet the high 
computational requirements of landing, the system may require that 
three units operate concurrently (to support different tasks) 
with only one spare unit. A conventional reliability analysis 
of each of these configurations typically employs the concept 
of a stationary Markov process (see [16]-[18]). 

In the following discussion, we allow each phase to choose 
from a list of possible system configurations depending on 
the outcome of the previous phases. Associated with the m-th 
phase $T_m$ (m = 1, 2, ..., k) is a set of possible configurations. 
Then given t, $t_{m-1} \le t < t_m$, the state $Y_S(t)$ of the system at 
time t may represent both the operational status of various 
components and any condition that is important to consider in 
the performability analysis. For example, a specific state of 
the model might represent that the system, in one of these 
configurations, has j subsystems failed and the rest of the 
subsystems are functioning in a degraded mode. Conceptually, 
the Markov process $Y_S$ can be viewed as having a single large 
state space. 

From a practical point of view, however, for each phase we 
need only represent those system states that are possible (i.e., 
have non-zero probability) during that phase. Given such a 
model whose probabilistic structure varies from phase to phase, 
the question that remains is how the results of these per-phase 
analyses can be combined so as to adequately support an analysis 
of the system's performability at the mission level. This 
question is addressed in the subsections that follow. 

3.2.1.2 Dependencies Between Phases 

To illustrate the nature of the problems encountered when 
combining the results of a phase-by-phase analysis, it suffices 
to consider a traditional two-valued mission model wherein a 
mission either is accomplished ("success") or is not ("failure"). 
In this case "performability" (see Section 3.3) reduces to the 
usual notion of "reliability" (probability of success). However, 
given that the computer is represented by a time-varying model 
consisting of a sequence of stationary Markov processes (one 
process per phase with each phase having a fixed duration), the 
reliability analysis is complicated by the fact that interphase 
dependencies must be accounted for. Such dependencies are 
due to the fact that certain parts of the hardware and software 
structure of the computer may be used during more than one phase 
of the mission. 

To illustrate the above remarks, consider the following 
hypothetical situation. A system with four identical modules 
$M_1$, $M_2$, $M_3$ and $M_4$ is designed for a two-phase mission. In 
order for the system to perform the required tasks, at least 
two modules must function through phase 1. After phase 1 has 
been completed, the computational requirements change and 
the system is reconfigured as a series connection of two duplex 
stages (see Figure 4). Thus the second phase of the mission 
is a success if at least one module in each duplex stage remains 
functioning through phase 2. Suppose that each of $M_1$, $M_2$, $M_3$ 
and $M_4$ fails permanently with a constant failure rate $\lambda$. Suppose 
further that the failure characteristics of the modules are 
statistically independent and no repair is possible throughout 
the mission. Then the probabilistic nature of phase 1 and phase 
2 can be represented, respectively, by finite-state stationary 
Markov processes with transition graphs as illustrated in 
Figure 5 and Figure 6. 

Note that this phase-by-phase Markov representation enables 
us to choose different sets of model variables for each phase. 
Thus, in general, the construction of a particular phase can 
be tailored to both the structure of the computer and the 
nature of the mission requirements during that phase, thereby 
reducing the number of model variables at each level in the 
hierarchy. Using the above example, let us now examine some 
of the problems encountered when using such a model to analyze 
system performability or (since we have only two levels of 
performance in this case) reliability. 

[Figure 4: A two-phased mission] 

[Figure 5: Markov model for a two-out-of-four system; states: no failure, one failure, two failures, three failures or four failures] 

[Figure 6: Markov model for a double duplex system] 

If we suppose that all modules are functioning at the beginning 
of the mission (and hence the beginning of phase 1), i.e., 
$\Pr[Y_S(t_0) = q_1] = 1$, then the reliability of the system during 
phase 1 is given by 

$\mathrm{Rel}(\text{phase 1}) = \Pr[Y_S(t_1) \in R_1 \mid Y_S(t_0) = q_1]$ 

where $R_1$ is the set of "success states" of the phase 1 model, 
i.e., $R_1 = \{q_1, q_2, q_3\}$. Expanding this equation, we have 

$\mathrm{Rel}(\text{phase 1}) = \Pr[Y_S(t_1) = q_1 \mid Y_S(t_0) = q_1] + \Pr[Y_S(t_1) = q_2 \mid Y_S(t_0) = q_1] + \Pr[Y_S(t_1) = q_3 \mid Y_S(t_0) = q_1]$ 

$= e^{-4\lambda(t_1 - t_0)} + 4\left(1 - e^{-\lambda(t_1 - t_0)}\right) e^{-3\lambda(t_1 - t_0)} + 6\left(1 - e^{-\lambda(t_1 - t_0)}\right)^2 e^{-2\lambda(t_1 - t_0)}$ 

$= 6e^{-2\lambda(t_1 - t_0)} - 8e^{-3\lambda(t_1 - t_0)} + 3e^{-4\lambda(t_1 - t_0)}.$ 

If we now consider phase 2, its reliability can be similarly 
expressed as 

$\mathrm{Rel}(\text{phase 2}) = \Pr[Y_S(t_2) \in R_2 \mid I]$ 

where $R_2 = \{r_1, r_2, r_3\}$ (the "success states" of the phase 2 model) 
and I is some assumed condition regarding the initial state of 
phase 2. More generally, the initial condition may be distributed 
probabilistically over several mutually exclusive possibilities 
$I_1, I_2, \ldots, I_s$, in which case 

$\mathrm{Rel}(\text{phase 2}) = \sum_{i=1}^{s} \Pr[Y_S(t_2) \in R_2 \mid I_i] \cdot \Pr[I_i].$ 
The simplest choice of I is similar to the one made for phase 1, 
namely $Y_S(t_1) = r_1$, i.e., the initial state for phase 2 is the 
most favorable operational state (no failures). If we pursue 
this choice, we have: 

$\mathrm{Rel}(\text{phase 2}) = \Pr[Y_S(t_2) \in R_2 \mid Y_S(t_1) = r_1]$ 

$= \Pr[Y_S(t_2) = r_1 \mid Y_S(t_1) = r_1] + \Pr[Y_S(t_2) = r_2 \mid Y_S(t_1) = r_1] + \Pr[Y_S(t_2) = r_3 \mid Y_S(t_1) = r_1].$ 

Computing each of these probabilities and combining the terms, 
we obtain 

$\mathrm{Rel}(\text{phase 2}) = 4e^{-2\lambda(t_2 - t_1)} - 4e^{-3\lambda(t_2 - t_1)} + e^{-4\lambda(t_2 - t_1)}.$ 

Finally, given the per-phase reliabilities determined above, 
we might be tempted to express the total system (mission) 
reliability as the product of the phase reliabilities, that is: 

$\mathrm{Rel}(\text{mission}) = \mathrm{Rel}(\text{phase 1}) \cdot \mathrm{Rel}(\text{phase 2}).$ 

Then, assuming the durations of phase 1 and phase 2 are the same, 
i.e., $(t_1 - t_0) = (t_2 - t_1) = T/2$, the mission reliability is: 

$\mathrm{Rel}(\text{mission}) = 24e^{-2\lambda T} - 56e^{-2.5\lambda T} + 50e^{-3\lambda T} - 20e^{-3.5\lambda T} + 3e^{-4\lambda T}.$ 

When the above expression is compared with an exact 
expression of the mission reliability (derived in the following 
subsection), i.e., 

$\mathrm{Rel}(\text{mission}) = 4e^{-2\lambda T} - 4e^{-3\lambda T} + e^{-4\lambda T},$ 

we see that the above derivation is inaccurate and provides 
an overly optimistic view of the system's reliability. A closer 
examination of the derivation reveals that the cause of this 
discrepancy is twofold: i) the assumption regarding the 
initial state of phase 2 is incorrect, and ii) the events 
"phase 1 success" and "phase 2 success" are statistically 
dependent and hence the product of their probabilities is not 
equal to the probability of the joint event "mission success." 

To correct for each of these errors, we must account for 
certain ways in which successive phases depend on one another. 
Our work in this regard is discussed in the subsection that 
follows. 

3.2.1.3 Interphase Transitions 

In general, complexities in the performability analysis 
of phased missions arise because the performance of a module 
depends on its performance during previous phases. These 
dependencies are of a special type, however, since temporal 
dependencies within a phase satisfy the Markov condition. 
Hence, if $t_m$ is the time of transition between phase m and 
phase m+1, it suffices to determine how the initial state of 
phase m+1 (at time $t_m$) depends on the final state of phase m 
(at time $t_m$). In general, the nature of such dependencies will 
be probabilistic (for reasons which will be explained in a 
moment) and can be represented as follows. 

Let $Q_m$ denote the state set of the Markov model representation 
of the m-th phase (m = 1, 2, ..., k) and suppose each state 
set is ordered so we can speak of the i-th state of $Q_m$, where 
if $|Q_m| = n_m$ then $1 \le i \le n_m$. With each successive pair of 
phases m and m+1 ($1 \le m < k$) we associate an interphase transition 
matrix H(m), defined to be an $n_m$ by $n_{m+1}$ matrix 

$H(m) = [h_{ij}]$ 

where 

$h_{ij}$ = probability that the state of the phase m+1 model is 
j (at time $t_m$) given that the state of the phase 
m model is i (at time $t_m$). 

Note that H(m) is a stochastic matrix, i.e., 

$\sum_{j=1}^{n_{m+1}} h_{ij} = 1, \quad i = 1, 2, \ldots, n_m.$ 

Note also that H(m) reduces to the identity matrix (1's on the 
diagonal; 0's elsewhere) in the case where the phase m and phase 
m+1 models are identical and have the same interpretation. 

The probabilistic nature of these interphase transitions 
is due to the fact that, in general, our knowledge of the system 
at the end of phase m, as conveyed by the state of the phase m 
model, may lack the detail needed to uniquely determine the 
state of the system as it is newly represented by the phase m+1 model. 
The information that is lacking may be information about the 
computer, per se, or may be information which lies outside the 
scope of the computer model. 

To illustrate this point, consider the example discussed 
in the previous subsection. In this case we have two phases 
with state sets 

$Q_1 = \{q_1, q_2, q_3, q_4\}$ 

and 

$Q_2 = \{r_1, r_2, r_3, r_4\}$ 

respectively. If, at time $t_1$, the system is in state $q_3$ with respect 
to the phase 1 model (i.e., two module failures) then, depending 
on which two modules failed, the state of the system with respect 
to the phase 2 model is either $r_3$ (one module failure in each 
duplex stage) or $r_4$ (two module failures in the same duplex 
stage). As module failures (in this example) are independent 
and equally likely, a straightforward calculation reveals that 
$h_{33} = 2/3$ and $h_{34} = 1/3$. Transitions from states other than $q_3$ 
happen to be deterministic, and thus we obtain the following 
interphase transition matrix: 

$H(1) = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 2/3 & 1/3 \\ 0 & 0 & 0 & 1 \end{bmatrix}.$ 


Using such interphase transition matrices, we have started 
to investigate the development of more precise formulations 
of system performability in terms of the per-phase nature 
of the bottom model. In particular, for two-valued mission 
models wherein "mission success" is defined to be "success of 
every phase of the mission," we have succeeded in deriving an 
exact expression of mission reliability. 

For each phase of the mission, let P(m) denote the 
initial-to-final state transition matrix of the m-th phase, i.e., 

$P(m) = [p_{ij}(m)]$ 

where 

$p_{ij}(m) = \Pr[Y_S(t_m) = j \mid Y_S(t_{m-1}) = i].$ 

For each phase except the final phase, let G(m) denote the 
success state matrix of the m-th phase ($1 \le m < k$), i.e., 

$G(m) = [g_{ij}(m)]$ 

where 

$g_{ij}(m) = \begin{cases} 1 & \text{if } i = j \text{ and } i \in R_m \\ 0 & \text{otherwise.} \end{cases}$ 

For the final phase (m = k) we define a success state vector 

$F(k) = [f_i(k)]$ 

where 

$f_i(k) = \begin{cases} 1 & \text{if } i \in R_k \\ 0 & \text{otherwise.} \end{cases}$ 

Finally let I(0) denote the initial state distribution for 
phase 1, that is 

$I(0) = [p_1(0), \ldots, p_{n_1}(0)]$ 

where 

$p_i(0) = \Pr[Y_S(t_0) = i], \quad 1 \le i \le n_1.$ 

Then it can be shown that mission reliability (probability of 
mission success) can be formulated as follows: 

$\mathrm{Rel}(\text{mission}) = I(0) \left( \prod_{i=1}^{k-1} P(i)\,G(i)\,H(i) \right) P(k)\,F(k),$ 

where the product operation is matrix multiplication. 

Note that in the special case of a one phase mission (k = 1) 
the expression reduces to 

$\mathrm{Rel}(\text{mission}) = I(0)\,P(1)\,F(1).$ 

Here, I(0)P(1) is a vector of final state probabilities. 
Multiplication by F(1) selects those states which are success 
states and sums their probabilities, the result being "probability 
of success" (relative to initial distribution I(0)). 

To illustrate a less trivial application of the formula, 
consider once again the two-phase example for which we derived 
the interphase transition matrix H(1). In this case 

$\mathrm{Rel}(\text{mission}) = I(0)\,P(1)\,G(1)\,H(1)\,P(2)\,F(2)$ 

where we will suppose that 

$I(0) = [1\ 0\ 0\ 0]$ 

(i.e., we begin with no failures) and where P(1) and P(2) 
are obtained by the usual methods of stationary Markov model 
analysis (see [20], for example). The remaining matrices are 

$G(1) = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}, \quad H(1) = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 2/3 & 1/3 \\ 0 & 0 & 0 & 1 \end{bmatrix}$ 

and 

$F(2) = \begin{bmatrix} 1 \\ 1 \\ 1 \\ 0 \end{bmatrix}.$ 
If we let $T_1 = (t_1 - t_0)$ and $T_2 = (t_2 - t_1)$ denote the durations 
of phases 1 and 2, respectively, and we iteratively compute the 
matrix product, beginning from the left, then for the first 
two terms we have: 

$A_1 = I(0)\,P(1) = [a_{11}\ a_{12}\ a_{13}\ a_{14}]$ 

where 

$a_{11} = e^{-4\lambda T_1}$ 

$a_{12} = 4e^{-3\lambda T_1} - 4e^{-4\lambda T_1}$ 

$a_{13} = 6e^{-2\lambda T_1} - 12e^{-3\lambda T_1} + 6e^{-4\lambda T_1}$ 

$a_{14} = 1 - 6e^{-2\lambda T_1} + 8e^{-3\lambda T_1} - 3e^{-4\lambda T_1}.$ 

The interpretation of $a_{1i}$ is the probability that the final 
state of phase 1 is $q_i$ (given the initial state distribution 
$I(0) = [1\ 0\ 0\ 0]$). 

The next partial product is the result of multiplying $A_1$ 
by the success state matrix G(1) which yields: 

$A_2 = A_1\,G(1) = [a_{21}\ a_{22}\ a_{23}\ a_{24}]$ 

where 

$a_{21} = a_{11}, \quad a_{22} = a_{12}, \quad a_{23} = a_{13}, \quad a_{24} = 0.$ 

Thus vector $A_2$ is the same as $A_1$ for those states of the phase 
1 model that guarantee phase 1 success. The remaining entries 
(those corresponding to phase 1 failure states) are 0. More 
precisely the interpretation of $a_{2i}$ is the probability that the 
final state of phase 1 is $q_i$ and phase 1 is a success. 

The third partial product is a result of multiplying $A_2$ 
by the interphase transition matrix H(1) which yields: 

$A_3 = A_2\,H(1) = [a_{31}\ a_{32}\ a_{33}\ a_{34}]$ 

where 

$a_{31} = e^{-4\lambda T_1}$ 

$a_{32} = 4e^{-3\lambda T_1} - 4e^{-4\lambda T_1}$ 

$a_{33} = 4e^{-2\lambda T_1} - 8e^{-3\lambda T_1} + 4e^{-4\lambda T_1}$ 

$a_{34} = 2e^{-2\lambda T_1} - 4e^{-3\lambda T_1} + 2e^{-4\lambda T_1}.$ 

The purpose of this operation is to describe the results of 
the phase 1 analysis in terms of the phase 2 model, where the 
interpretation of entry $a_{3i}$ is the probability that the 
initial state of phase 2 is $r_i$ and phase 1 is a success. 

The fourth partial product is the result of multiplying 
$A_3$ by the transition matrix P(2) of phase 2, that is: 

$A_4 = A_3\,P(2) = [a_{41}\ a_{42}\ a_{43}\ a_{44}]$ 

where, if $T = T_1 + T_2$ then 

$a_{41} = e^{-4\lambda T}$ 

$a_{42} = 4e^{-3\lambda T} - 4e^{-4\lambda T}$ 

$a_{43} = 4e^{-2\lambda T} - 8e^{-3\lambda T} + 4e^{-4\lambda T}$ 

$a_{44} = 1 - 4e^{-2\lambda T} + 4e^{-3\lambda T} - e^{-4\lambda T}.$ 

Thus the interpretation of $a_{4i}$ is the probability that $r_i$ is 
the final state of phase 2 and phase 1 is a success. 

The product is completed by multiplying $A_4$ by the success 
state vector F(2) of the final phase, that is, 

$\mathrm{Rel}(\text{mission}) = A_4\,F(2) = \sum_{i \in R_2} a_{4i} = 4e^{-2\lambda T} - 4e^{-3\lambda T} + e^{-4\lambda T}.$ 

Since the sum is taken over all final states of phase 2 that 
guarantee phase 2 success, the interpretation of the sum is the 
probability of phase 2 success and phase 1 success, i.e., the 
probability of mission success (given the initial state distribution 
$I(0) = [1\ 0\ 0\ 0]$). 


The above example serves not only to illustrate an exact 
computation of mission reliability but also to give an informal 
justification of why this method produces the desired result. 
As a check on the computation, we note that this simple example 
could be viewed equivalently as a double duplex system throughout 
its utilization interval and, when so viewed, yields the result 
obtained above. This is not to suggest that multiphase models 
can generally be reduced to single phase models; indeed, we 
believe that the above example is quite unusual in this 
regard. 

Although the above computational algorithm applies only 
to a restricted set of mission level models, it establishes, 
in our opinion, the feasibility of using non-stationary Markov 
models as base models for performability analysis. It should 
also be noted that the above algorithm need not be restricted 
to base models where the intraphase processes are Markovian, 
as long as the overall sampled process (where a sample is made 
at the end of each phase) is Markovian. Thus, semi-Markov 
processes or approximate Markov processes (see [19]-[23]) 
can also be used to model the intraphase behavior. We therefore 
intend to pursue this approach for more general types of 
mission models via an analysis of "R-dependencies" associated 
with various levels of mission accomplishment. Our work in 
the latter regard is discussed in the section that follows. 

3.3 Formulation of System Effectiveness 

The central idea underlying this research project is 
that the evaluation of system reliability and performance should 
not be treated as separate issues but, instead, as a single issue 
which can generally be referred to as "system effectiveness." 
Informally, "system effectiveness" is the extent to which the user 
may expect to benefit from the missions accomplished by the system 
in the use environment. Thus effectiveness measures for aircraft 
computers must quantify the extent to which a commercial air 
carrier may expect to benefit from missions accomplished by an 
aircraft computer (in conjunction with cooperating related systems 
and supporting systems). As discussed in the first Semi-Annual 
Status Report (see [1], Section 3.3.4.2), the formulation of such 
measures can be naturally decomposed into two problems: 

i) Formulating the probabilities of accomplishing 
various types and qualities of missions, and 

ii) Formulating the worth (benefit) associated with 
accomplishing various types and qualities of missions. 

As justified in the previous Status Report, we have chosen 
to focus our attention on the first of these two problems, i.e., the 
problem of formulating measures of system "performability." More 
precisely, a performability measure can be regarded as a special type 
of effectiveness measure wherein the worth of a performance is 
equated with the performance itself (as described by the top model). 

Recalling the WSEIAC definition of effectiveness (see [24]), 

System effectiveness is a measure of the extent to 
which a system may be expected to achieve a set of 
specific mission requirements. It is a function of 
the system's availability, dependability, and 
capability, 

it follows that performability can likewise be decomposed into 
measures of availability, dependability, and capability. In terms 
of our model hierarchy, the first two measures (availability and 
dependability) quantify the behavior of the bottom model. The 
third measure (capability) quantifies the behavior of the top 
model as a function of values assumed by "basic" variables of the 
bottom and intermediate models (see Section 3.1.2.2). Thus the 
capability aspect of performability invokes the entire model 
hierarchy and, indeed, is the reason for the hierarchy's existence. 

During the reporting period, we have developed a precise 
notion of capability and have started to investigate its properties 
in terms of a generalized notion of functional dependency. This 
work is reported in the subsections that follow. 

3.3.1 Structure Functions and Dependency 

3.3.1.1 Structure Functions 

In structure-based analysis, the system to be evaluated 
(call it S) is regarded as a network of subsystems (components). 
For each subsystem $S_i$ there is associated a set $Q_i$ composed of 
the operational states of $S_i$. These operational states represent 
the various fault conditions of $S_i$. In the simplest case, 
$Q_i = \{0, 1\}$ where a "0" indicates that $S_i$ is fault-free, and a 
"1" indicates that $S_i$ is faulty. The success of the system S 
is then related to the operational states of the subsystems 
by a binary-valued function 

$\phi: Q_1 \times Q_2 \times \cdots \times Q_n \to \{0, 1\}$ 

where 

$\phi(q_1, q_2, \ldots, q_n) = \begin{cases} 0 & \text{if } S \text{ is a "success" in operational state } (q_1, q_2, \ldots, q_n) \\ 1 & \text{otherwise.} \end{cases}$ 

Such a function is called a structure function (see [1], [25]). 
(Technically, the above definition is the "dual" of the traditional 
definition of a structure function, since we interpret 0 
(rather than 1) as "success." We find the dual definition to 
be more convenient when it comes time to extend the concept to 
multiple levels of system performance.) 

The limitations of the structure function approach have been 
discussed elsewhere (see [1], [26]), but two points deserve 
reiteration. First, the fact that structure functions are binary-valued 
disallows adequate handling of modes of degraded performance. 
Second, structure-based analysis regards the network of subsystems 
as a combinational, or memoryless, network. This point of 
view does not allow the treatment of interactions between components 
over time. Given these limitations, a new approach is required. 
3.3.1. 2 Dependency 

Before formally defining the concept of a capability function, consider the notion of dependency. In general, there are two modes in which one thing can depend on another [27]. In the first mode, knowing that A depends on B and knowing everything of interest about B tells everything of interest about A. This mode of dependence is exemplified by linear dependence. In the second mode, knowledge of B coupled with the knowledge that A depends on B tells us something (but not necessarily everything) about A. The best example here is the idea of statistical dependence. This is the mode of dependence which will generally occur in the study of complex systems.

It is important to note that knowledge of certain dependencies between subsystems of the system of interest may help in several ways. In classical reliability analysis, for example, knowledge that two subsystems fail independently allows them to be decoupled and studied separately. Probabilistically, if the failures of $S_1$ and $S_2$ are independent, then

$$P(S_1 \text{ fails and } S_2 \text{ fails}) = P(S_1 \text{ fails}) \cdot P(S_2 \text{ fails}).$$

It is not the case, however, that all forms of dependency are bad. For instance, knowledge of certain dependencies between the operational states of a system over time may allow the simplification of considering the states of the system only at specific times. Given that the appropriate forms of dependency exist, then, observation of the system can be limited without a loss of relevant knowledge. One example of this is when assumptions are made concerning the coherence and pure-death properties of a system. If a system has these properties, then knowledge that its final state is fault-free tells that at all previous times the system was fault-free. Thus the assumption of coherence and a pure-death model is actually an assumption about the temporal dependencies inherent in a particular system. Knowing which dependencies exist may help to simplify analysis. In general, functional independence and temporal dependence appear to be simplifying factors.

3.3.1.3 Functional Dependence

In [1], the CARSRA notion of functional dependence ($\phi$-dependence) was formalized as follows. Given a system $S$ with component subsystems $S_1, \ldots, S_n$, state set $Q = Q_1 \times Q_2 \times \cdots \times Q_n$ ($Q_i$ is the state set of $S_i$), and structure function $\phi$, let

$$R_\phi = \{\, q \mid \phi(q) = 0,\ q \in Q \,\}.$$

Then $R_\phi$ is the set of all success states of $S$ relative to the structure function $\phi$. For $q \in Q$, let $\xi_i(q)$ denote the value of the $i$th coordinate of $q$, i.e. if $q = (q_1, \ldots, q_n)$ then $\xi_i(q) = q_i$. We define

$$D_\phi(i) = \{\, \xi_i(q) \mid q \in R_\phi \,\}.$$

$D_\phi(i)$ is the projection of $R_\phi$ on the $i$th coordinate. We also define, for $1 \le j \le n$ and $q_j \in D_\phi(j)$,

$$R_\phi(j, q_j) = \{\, q \in R_\phi \mid \xi_j(q) = q_j \,\} \quad \text{and} \quad D_\phi(i, j, q_j) = \xi_i(R_\phi(j, q_j)).$$

Informally, $R_\phi(j, q_j)$ is the subset of $R_\phi$ comprised of all the elements of $R_\phi$ whose $j$th coordinate is equal to $q_j$. This means that $D_\phi(i, j, q_j)$ is the result of first selecting all the elements of $R_\phi$ whose $j$th coordinate is $q_j$, and then taking the projection of this set on the $i$th component.

For example, consider the three-stage plus independent voter TMR system with binary-valued state sets, which can be represented as in Figure 7.

Figure 7

Then

$$R_\phi = \{(0,0,0,0),\ (1,0,0,0),\ (0,1,0,0),\ (0,0,1,0)\}.$$

Clearly, $D_\phi(1) = \{0,1\}$ and $D_\phi(4) = \{0\}$. In addition, examples of $R_\phi(j, q_j)$ are

$$R_\phi(2,0) = \{(0,0,0,0),\ (1,0,0,0),\ (0,0,1,0)\} \quad \text{and} \quad R_\phi(2,1) = \{(0,1,0,0)\},$$

so

$$D_\phi(1,2,0) = \xi_1(R_\phi(2,0)) = \{0,1\}, \quad \text{and} \quad D_\phi(1,2,1) = \{0\}.$$
The formal definition of functional dependence is stated as:

Definition: If $S_i$ and $S_j$ are subsystems of a system with structure function $\phi$, then $S_i$ $\phi$-depends on $S_j$ if, for some state $q_j \in D_\phi(j)$,

$$D_\phi(i) \ne D_\phi(i, j, q_j).$$

From this definition we see that in the above example $S_1$ $\phi$-depends on $S_2$ because

$$\{0,1\} = D_\phi(1) \ne D_\phi(1,2,1) = \{0\}.$$

Examination quickly shows also that $S_1$ $\phi$-depends on $S_3$ and that $S_2$ $\phi$-depends on $S_3$. On the other hand, since the state of $S_4$ is constant, $S_4$ is independent of $S_1$, $S_2$ and $S_3$. Calculation of the possible $D_\phi$ sets shows this to be true. In fact, $S_4$ is "universally independent" in the sense that no other subsystem depends on it [27].

Example

Consider now the triplex system (Figure 8) discussed in [1] (see also [12], Figure 8). As presented therein, the system is regarded as being composed of four subsystems $S_1$, $S_2$, $S_3$ and $S_4$ called "stages." Each stage is comprised of 3 "modules" (see [12]) and is represented by a finite-state Markov process with a transition graph as illustrated in Figure 9. Thus, the state set for stage $S_i$ is $Q_i = \{1,2,3,4,5\}$ ($i = 1,2,3,4$) and the structure function, in this case, is the function

$$\phi : \{1,2,3,4,5\}^4 \to \{0,1\}$$

where

$$\phi(q) = \begin{cases} 0 & \text{if, when the system is in state } q, \text{ the voter can make use of the outputs of at least 2 fault-free modules in each stage,} \\ 1 & \text{otherwise.} \end{cases}$$

Here $q = (2,1,1,1)$ has the interpretation that $S_1$ (stage 1) has one faulty module, while $S_2$, $S_3$, and $S_4$ are fault-free.
Figure 9. Stage Markov model (states: no failure, one failure, two failures, stage failure)
Some examples of the evaluation of $\phi$ are

$$\phi(2,1,1,1) = 0, \qquad \phi(3,1,1,1) = 1, \quad \text{but}$$

$$\phi(2,2,2,2) = 0 \text{ or } 1 \text{ depending on which modules are faulty.}$$

This means that in this case the structure function $\phi$ is actually a structure relation. Let

$$R_\phi = \{\, q \mid \phi(q) = 0 \text{ (and } \phi(q) \ne 1\text{)},\ q \in Q \,\}.$$

The set $R_\phi$ is composed of all the unambiguous success states of the system $S$ relative to the structure relation $\phi$. As shown in [1],

$$R_\phi = \{(1,1,1,1),\ (2,1,1,1),\ (1,2,1,1),\ (1,1,2,1),\ (2,2,1,1),\ (1,1,1,2),\ (2,1,1,2),\ (1,2,1,2),\ (1,1,2,2),\ (2,2,1,2)\}.$$

It was also shown in [1] that $S_1$ $\phi$-depends on $S_3$, $S_2$ $\phi$-depends on $S_3$, but $S_4$ is $\phi$-independent of all three stages $S_1$, $S_2$ and $S_3$. Knowing that these dependencies are present, are there simpler ways to view the system so as to mask off the dependencies? Doing so would allow us to deal with these interactions on a lower (and possibly simpler) level. For instance, on a lower level we might not need to obtain a whole set of conditional probabilities, but could instead obtain only absolute probabilities. It is possible that the absolute probabilities would inherently reflect the dependencies, without further system decomposition.

One example of such an alternative representation is shown in Figure 10. Here, $S'_1$ is composed of stages $S_1$, $S_2$ and $S_3$, while $S'_2$ corresponds to stage $S_4$. We can define a new state set $Q'_1 = \{1, 2, \ldots, 125\}$ which is the range of a 1-1 correspondence $M$, i.e.

$$M : Q_1 \times Q_2 \times Q_3 \to Q'_1$$

where, for example,

(q1, q2, q3)     M(q1, q2, q3)
(1, 1, 1)              1
(1, 1, 2)              2
(1, 2, 1)              3
(1, 2, 2)              4
(2, 1, 1)              5
(2, 1, 2)              6
(2, 2, 1)              7
(2, 2, 2)              8
(3, 1, 1)              9
   ...                ...
(5, 5, 5)            125

Note that this mapping preserves all the information used in our original analysis. We can now evaluate the new structure relation

$$\phi' : Q'_1 \times Q'_2 \to \{0,1\},$$

defined by

$$\phi'(M(q_1, q_2, q_3), q_4) = \phi(q_1, q_2, q_3, q_4)$$

where $q_i \in Q_i$, $i = 1,2,3,4$, and $Q'_2 = Q_4$. Applying $M$ to the success states $R_\phi$ listed above gives

$$R_{\phi'} = \{(1,1),\ (2,1),\ (3,1),\ (5,1),\ (7,1),\ (1,2),\ (2,2),\ (3,2),\ (5,2),\ (7,2)\}.$$

Calculation shows that

$$D_{\phi'}(1) = \{1,2,3,5,7\}, \quad D_{\phi'}(2) = \{1,2\}, \quad D_{\phi'}(1,2,1) = \{1,2,3,5,7\}, \quad \text{and} \quad D_{\phi'}(1,2,2) = \{1,2,3,5,7\}.$$

From this, $S'_1$ is $\phi'$-independent of $S'_2$.

A second way to analyze the system is shown in Figure 11.

Figure 11

Here, there are two stages as above, $S''_1$ and $S''_2$, but we have not preserved the states of the originally defined stages. Instead, $S''_1$ is composed of the three modules denoted M1, M2, and M3, and $S''_1$ and $S''_2$ are regarded in the same fashion as in the original analysis. Hence the state sets $Q''_1$ of $S''_1$ and $Q''_2$ of $S''_2$ are

$$Q''_1 = Q''_2 = \{1,2,3,4,5\}.$$

Since the system is still regarded as TMR, the set of success states $R_{\phi''}$ is

$$R_{\phi''} = \{(1,1),\ (1,2),\ (2,1),\ (2,2)\}.$$

Again, $S''_1$ is $\phi''$-independent of $S''_2$ because $D_{\phi''}(1) = D_{\phi''}(2) = D_{\phi''}(1,2,1) = D_{\phi''}(1,2,2) = \{1,2\}$. Hence, this decomposition also yields independent stages in which internal dependencies are masked.
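As an added example (not code from the report), the following Python computes $R_\phi$, the projections $D_\phi(i)$ and $D_\phi(i,j,q_j)$, and the full $\phi$-dependence table for the Figure 7 TMR-plus-voter system of Section 3.3.1.3 and for the ten-state triplex success set listed above, and then applies the Figure 10 recoding $M$ to show that the decomposition masks the stage dependencies. Two things are assumptions rather than statements of the report: the voter rule used to generate $\phi$ for Figure 7 (success iff the voter is fault-free and at most one stage is faulty, which reproduces the four success states given above), and the order in which the 117 codes of $M$ that the report elides are assigned (the eight listed codes are taken from the report's table).

```python
"""Structure functions, phi-dependence and decomposition on the two systems of
Section 3.3.1.3.  Added example, not code from the report; the Figure 7 voter
rule and the unlisted codes of M are assumptions (see comments)."""
from itertools import product


def success_states(state_sets, phi):
    """R_phi: all states q with phi(q) = 0 (0 = success, the report's dual convention)."""
    return {q for q in product(*state_sets) if phi(q) == 0}


def projection(R, i):
    """D_phi(i): projection of R on coordinate i (1-based, as in the report)."""
    return {q[i - 1] for q in R}


def conditional_projection(R, i, j, qj):
    """D_phi(i, j, qj) = xi_i(R_phi(j, qj)): project on i after fixing coordinate j at qj."""
    return projection({q for q in R if q[j - 1] == qj}, i)


def phi_depends(R, i, j):
    """S_i phi-depends on S_j iff fixing S_j at some reachable value shrinks D_phi(i)."""
    return any(projection(R, i) != conditional_projection(R, i, j, qj)
               for qj in projection(R, j))


def dependency_matrix(R, n):
    """n x n table; entry [i-1][j-1] is True when S_i phi-depends on S_j."""
    return [[phi_depends(R, i, j) for j in range(1, n + 1)] for i in range(1, n + 1)]


# --- Figure 7: three TMR stages S1..S3 plus an independent voter S4, binary states ---
def phi_tmr(q):
    """ASSUMED voter rule: success (0) iff the voter is fault-free and at most one
    stage is faulty; it yields exactly the four success states the report lists."""
    s1, s2, s3, voter = q
    return 0 if voter == 0 and s1 + s2 + s3 <= 1 else 1


R_TMR = success_states([{0, 1}] * 4, phi_tmr)

# --- Triplex example: the ten unambiguous success states R_phi given in the report ---
R_TRIPLEX = {
    (1, 1, 1, 1), (2, 1, 1, 1), (1, 2, 1, 1), (1, 1, 2, 1), (2, 2, 1, 1),
    (1, 1, 1, 2), (2, 1, 1, 2), (1, 2, 1, 2), (1, 1, 2, 2), (2, 2, 1, 2),
}


def build_M():
    """Figure 10 bijection M: Q1 x Q2 x Q3 -> {1..125}.  The first eight codes are
    the report's table; the remaining 117 are ASSUMED to follow in lexicographic
    order (any bijection gives the same independence result)."""
    listed = [(1, 1, 1), (1, 1, 2), (1, 2, 1), (1, 2, 2),
              (2, 1, 1), (2, 1, 2), (2, 2, 1), (2, 2, 2)]
    rest = [t for t in product(range(1, 6), repeat=3) if t not in listed]
    return {t: code for code, t in enumerate(listed + rest, start=1)}


M_TABLE = build_M()


def recode(R):
    """R_phi' for the Figure 10 view: (M(q1,q2,q3), q4) for every success state."""
    return {(M_TABLE[q[:3]], q[3]) for q in R}


def run():
    """Collect every quantity discussed in the text for both systems."""
    R_prime = recode(R_TRIPLEX)
    return {
        "R_tmr": R_TMR,
        "tmr_deps": dependency_matrix(R_TMR, 4),
        "triplex_deps": dependency_matrix(R_TRIPLEX, 4),
        "R_prime": R_prime,
        "D_prime_1": projection(R_prime, 1),
        "prime_independent": not phi_depends(R_prime, 1, 2),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The dependency table makes the report's three properties visible: it is symmetric for both systems (a pair $(i,j)$ is dependent exactly when the projection of $R_\phi$ onto coordinates $i$ and $j$ is smaller than $D_\phi(i) \times D_\phi(j)$), and the voter row and column of the Figure 7 table are all False, which is the "universal independence" of $S_4$.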

Study of $\phi$-dependency during the past reporting period has shown that $\phi$-dependence has the following properties:

i) $\phi$-dependence is symmetric;
ii) in general, $\phi$-dependence is not reflexive;
iii) in general, $\phi$-dependence is not transitive.

It is important to note that $\phi$-dependence suffers from the limitations imposed by structure-based analysis. As a result, during the past reporting period, and in conjunction with the development of a notion of a capability function, we have generalized the above notion of $\phi$-dependence into what we call "R-dependence."

3.3.1.4 R-Dependence

The concept of R-dependence is an extension and generalization of the concepts involved in defining and determining $\phi$-dependence. The notion of R-dependence will first be described as a direct generalization of $\phi$-dependence in terms of projections on coordinatized sets, and will then be given in an alternative mathematical formulation in terms of partitions of sets.

Let $S$ be a system with subsystems $S_1, \ldots, S_n$. Here the notion of subsystem is extended beyond the components of the object system alone. Thus any part of the total system whose behavior influences the overall performance of the system may be considered a subsystem. For instance, weather or maintenance may be regarded as subsystems. Subsystems are represented by basic variables. Suppose that we sample the states of the subsystems at times $t_1, t_2, \ldots, t_k$, where $t_1 < t_2 < \cdots < t_k$ (due to this ordering we shall henceforth speak of times $1, 2, \ldots, k$). Let $Q_i$ be the set of possible operational states of subsystem $S_i$ at time $t$.

Definition: Given the above conditions, a state trajectory for the system $S$ is an $n \times k$ matrix

$$u = \begin{bmatrix} q_{11} & q_{12} & \cdots & q_{1k} \\ \vdots & \vdots & & \vdots \\ q_{n1} & q_{n2} & \cdots & q_{nk} \end{bmatrix}$$

where for $1 \le i \le n$, $1 \le t \le k$, $q_{it} \in Q_i$. The $(i,t)$th entry of $u$ is interpreted as the state of subsystem $S_i$ at the $t$th time sample. The $i$th row of a state trajectory matrix corresponds to a state trajectory for subsystem $S_i$. The $t$th column gives the state of the total system $S$ (as represented by an $n$-tuple) at time $t$.

Let $U = \{\, [q_{it}] \mid q_{it} \in Q_i,\ 1 \le i \le n,\ 1 \le t \le k \,\}$ be the set of all state trajectories for $S$, and let $R \subseteq U$. The set $R$ is the set relative to which dependency will be defined. $R$ may be selected by any specified criterion.

In the context of this research, the set $R$ will generally be a "$\gamma$-induced" subset of $U$, that is, a set of the form

$$\{\, u \mid \gamma(u) = A_j,\ u \in U \,\}$$

where $A_j$ is a particular level of accomplishment (see Section 3.1.2.1), $\gamma$ is the capability function (Section 3.3.2.2), and $U$, $A_j$ and $\gamma$ are all relative to the same model hierarchy. The study of R-dependencies within such sets may yield system decompositions which ease the calculation of the probability of occurrence of the missions represented by elements of the set, i.e., the missions yielding a particular level of accomplishment. It is these calculations which are the object of this study, and which underlie the concept of "performability" or "expected performance." Thus, knowledge of existing dependencies within a system may aid us in calculating the performability of that system.

At this point, recall the development of functional ($\phi$) dependence. If the system $S$ is sampled only once, then $U$ will be a set of $n \times 1$ matrices, or, in other words, $n$-tuples. The set $R$ would correspond to $R_\phi$ where the selection criterion is based on success states relative to the structure function $\phi$.

If $R$ is a set of $n \times k$ matrices and $u \in R$, define

$$\xi_{it}(u) = q_{it},$$

i.e., $\xi_{it}(u)$ yields the $(i,t)$th element of $u$. This is analogous to the projection operation on a vector.
Let $\xi_{it}(R) = \{\, \xi_{it}(u) \mid u \in R \,\}$. If one thinks of $R$ as an array of matrices, then visually the projection $\xi_{it}(R)$ corresponds to selecting the $(i,t)$th element all along the third coordinate (see Figure 12).

Figure 12

Now define $D(i,t) = \xi_{it}(R)$ as was done in describing $\phi$-dependence. If $q \in D(j,v)$, let

$$R(j,v,q) = \{\, u \in R \mid q_{jv} = q \,\}.$$

The operator $R(j,v,q)$ selects from $R$ all those matrices whose $(j,v)$th element is $q$. Finally, define

$$D(i,t;\, j,v,q) = \xi_{it}(R(j,v,q)), \qquad i,j \in \{1,\ldots,n\},\ t,v \in \{1,\ldots,k\},\ q \in D(j,v).$$

Denote the fact that $S_i$ is considered at time $t$ by $S_i(t)$.

Definition: Let $S$ be a system with subsystems $S_1, \ldots, S_n$ sampled at times $1, \ldots, k$. If $U$ is the set of all state trajectory matrices of $S$ and $R \subseteq U$, then we say $S_i(t)$ R-depends on $S_j(v)$ if, for some $q \in D(j,v)$,

$$D(i,t) \ne D(i,t;\, j,v,q).$$

Consider the following example. Let

$$R = \{A, B, C, D\}.$$

$R$ might be the accomplishment set corresponding to a level of accomplishment of a 3-stage system sampled at 3 times. Three different relationships will be examined. The list is meant to be illuminating, but not exhaustive.

i) Consider $S_1(3)$ and $S_1(1)$. $D(1,3) = \{1,2\}$ but $D(1,3;\, 1,1,2) = \{2\}$, so $S_1(3)$ R-depends on $S_1(1)$. This dependency is a temporal dependency between the states of a single subsystem.

ii) Consider now $S_1(2)$ and $S_2(3)$. $D(1,2) = \{1,2\}$, $D(1,2;\, 2,3,2) = \{1\}$, and $D(1,2;\, 2,3,1) = \{2\}$. Hence $S_1(2)$ R-depends on $S_2(3)$. In fact, knowing that $S_2(3)$ is in state 2 tells that $S_1(2)$ is in state 1, and knowing $S_2(3)$ is in state 1 tells that $S_1(2)$ is in state 2. Thus this dependence is also an example of the first mode of dependence discussed above. This is not true in (i), since $D(1,3;\, 1,1,1) = \{1,2\}$, so it is not known, given $S_1(1)$ is in state 1, which state $S_1(3)$ is in.

iii) Consider $S_2(2)$ and $S_2(3)$. $D(2,3) = \{1,2\}$, $D(2,3;\, 2,2,1) = \{1,2\}$ and $D(2,3;\, 2,2,2) = \{1,2\}$, so $S_2(3)$ does not R-depend on $S_2(2)$. We say $S_2(3)$ is R-independent of $S_2(2)$.

The above definitions for R-dependency follow the exposition given in the functional dependency case. However, R-dependency can be characterized directly in terms of certain partitions associated with time and state coordinates. Suppose we are given $S$, $R$ and a delimitation of the subsystems and times of interest. For instance, with $S$ and $R$ as above, we might wish to investigate the relationship between $S_2(3)$ and $S_1(2)$. If $u, v \in R$, let $\equiv_{it}$ be the equivalence relation defined by

$$u \equiv_{it} v \quad \text{if} \quad \xi_{it}(u) = \xi_{it}(v).$$

Hence, if $\xi_{it}(R)$ has $c$ different elements, $\equiv_{it}$ will partition $R$ into $c$ different classes. Denote this partition by $R/\equiv_{it}$. Clearly, there are $n \cdot k$ such partitions of $R$, one for each $(i,t)$ pair.

Recall that in the definition of R-dependency, projections were repeatedly made on the $(i,t)$th element while holding the $(j,v)$th element fixed (at its various values) in order to determine the relationship between $S_i(t)$ and $S_j(v)$. If restricting the set over which a projection on the $(i,t)$th coordinate was taken restricted the possible values of elements in that projection, then dependency was said to be present. These multiple projections are a way of partitioning the set $R$ in various ways. Realizing this, we can characterize R-dependence as follows:

Theorem: If $R/\equiv_{it}$ and $R/\equiv_{jv}$ are partitions of $R$, then $S_i(t)$ R-depends on $S_j(v)$ if and only if there exists a block $B \in R/\equiv_{it}$ and a block $B' \in R/\equiv_{jv}$ such that

$$B \cap B' = \emptyset.$$

In other words, if one partitions $R$ on the two different coordinates, then no dependencies are present if and only if each block in the first partition has a non-trivial intersection with each block in the second partition.
As an example, return to $R$ and the matrices $A, B, C, D$ of the R-dependence example above. Consider

$$R/\equiv_{11} = \{\{A,C,D\},\ \{B\}\} \quad \text{and} \quad R/\equiv_{13} = \{\{A,D\},\ \{B,C\}\}.$$

Then $\{A,D\} \cap \{B\} = \emptyset$, so $S_1(1)$ R-depends on $S_1(3)$. Similarly

$$R/\equiv_{12} = \{\{A,D\},\ \{B,C\}\} \quad \text{and} \quad R/\equiv_{23} = \{\{A,D\},\ \{B,C\}\},$$

but $\{A,D\} \cap \{B,C\} = \emptyset$, so $S_2(3)$ R-depends on $S_1(2)$. Thirdly, we see

$$R/\equiv_{23} = \{\{A,D\},\ \{B,C\}\}, \qquad R/\equiv_{22} = \{\{A,B\},\ \{C,D\}\},$$

so

$$\{A,D\} \cap \{A,B\} = \{A\}, \quad \{A,D\} \cap \{C,D\} = \{D\}, \quad \{B,C\} \cap \{A,B\} = \{B\}, \quad \text{and} \quad \{B,C\} \cap \{C,D\} = \{C\}.$$

As this exhausts all the possibilities, we see that $S_2(3)$ is R-independent of $S_2(2)$.
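The projections and partitions above, as an added example that is not part of the report: the Python below implements $D(i,t)$, $D(i,t;\,j,v,q)$ and the partition $R/\equiv_{it}$, decides R-dependence both by the definition and by the theorem, and checks on every pair of coordinates that the two characterizations agree. The report does not reproduce the matrices $A$, $B$, $C$, $D$; the four $3 \times 3$ trajectories below are constructed here to match every projection and partition the report states for its example (the entries the report never mentions are set to 1, so subsystem $S_3$ is trivially R-independent of everything).

```python
"""R-dependence on state trajectories, computed by conditional projections and
by the partition theorem.  Added example, not code from the report.  The four
trajectories are CONSTRUCTED to agree with the projections and partitions the
report states; rows are subsystems S1..S3, columns are sample times 1..3."""
from itertools import product

R = {
    "A": ((1, 1, 1), (1, 1, 2), (1, 1, 1)),
    "B": ((2, 2, 2), (1, 1, 1), (1, 1, 1)),
    "C": ((1, 2, 2), (1, 2, 1), (1, 1, 1)),
    "D": ((1, 1, 1), (1, 2, 2), (1, 1, 1)),
}


def xi(u, i, t):
    """xi_it(u): the (i,t) entry of trajectory u (1-based indices as in the report)."""
    return u[i - 1][t - 1]


def D(R, i, t):
    """D(i,t) = xi_it(R): the values subsystem S_i takes at time t within R."""
    return {xi(u, i, t) for u in R.values()}


def D_given(R, i, t, j, v, q):
    """D(i,t; j,v,q) = xi_it(R(j,v,q)): project on (i,t) after fixing (j,v) at q."""
    return {xi(u, i, t) for u in R.values() if xi(u, j, v) == q}


def r_depends(R, i, t, j, v):
    """Definition: S_i(t) R-depends on S_j(v) iff some reachable q at (j,v) shrinks D(i,t)."""
    return any(D(R, i, t) != D_given(R, i, t, j, v, q) for q in D(R, j, v))


def partition(R, i, t):
    """R/==_it: blocks (frozensets of trajectory names) agreeing on the (i,t) entry."""
    blocks = {}
    for name, u in R.items():
        blocks.setdefault(xi(u, i, t), set()).add(name)
    return {frozenset(b) for b in blocks.values()}


def r_depends_by_partition(R, i, t, j, v):
    """Theorem: dependence iff some block of R/==_it is disjoint from some block of R/==_jv."""
    return any(not (B & Bp) for B in partition(R, i, t) for Bp in partition(R, j, v))


def dependent_pairs(R, n, k):
    """All ((i,t),(j,v)) with S_i(t) R-depending on S_j(v); raises if the two
    characterizations ever disagree."""
    deps = set()
    for i, t, j, v in product(range(1, n + 1), range(1, k + 1), repeat=2):
        by_def = r_depends(R, i, t, j, v)
        by_thm = r_depends_by_partition(R, i, t, j, v)
        if by_def != by_thm:
            raise AssertionError(f"characterizations differ at {(i, t, j, v)}")
        if by_def:
            deps.add(((i, t), (j, v)))
    return deps


if __name__ == "__main__":
    for (i, t), (j, v) in sorted(dependent_pairs(R, 3, 3)):
        print(f"S{i}({t}) R-depends on S{j}({v})")
```

Because the theorem is stated as an "if and only if" on partitions, and the disjointness of two blocks is symmetric in the two coordinates, `dependent_pairs` always returns a symmetric set; the check in the test below confirms this on the constructed $R$, including the temporal pair $S_1(1)$, $S_1(3)$.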

3.3.2 Capability

3.3.2.1 Definition and Role

As discussed in Section 3.3, we are focusing our attention on a "performability" view of system effectiveness where a measure of performability can be decomposed into measures of availability, dependability, and capability. In terms of the model hierarchy, the availability and dependability measures quantify the behavior of the bottom level model. A capability measure quantifies the behavior of the top model as a function of values assumed by the "basic" variables of the bottom and intermediate models. (Recall that a variable is "basic" if it cannot be expressed as a function of lower level variables.) Thus the capability aspect of performability combines all aspects of the model hierarchy.

The capability measures we have studied during the reporting period are essentially three-fold extensions of the structure functions discussed in Section 3.3.1.1. We call these measures "capability functions." In the notion of a capability function, the concept of a structure function has been extended in the following three ways:

i) the subsystems (components) of a system may be characterized by multiply valued state sets;
ii) the accomplishment set may contain more than two elements; and
iii) the capability function is defined over a set of state trajectories.

These extensions, together with a formal definition of a capability function, are described in the following subsection.

3.3.2.2 The Capability Function

Viewing a "capability function" as a three-fold extension of the notion of a structure function, the first extension allows the state sets of the subsystems to have more than two elements. This permits characterization of degraded performance in the system's subsystems, i.e., removes the requirement that a subsystem be considered either "all on" or "all off." For example, this allows us to more accurately describe the state of a component which is constructed on the triple modular redundancy (TMR) principle. The second extension is to allow capability functions to be multivalued. Thus the range of a capability function will generally be taken to be an "accomplishment set," or a set of mission-characterizing quantities which serve to quantify some aspect of a system's effectiveness in carrying out a prescribed mission. This allows us to go beyond a simple "success-failure" characterization of the system's performance of its mission. The third extension is to take the argument of a capability function to be a state trajectory rather than a single state vector, as is the case with structure functions. This permits one to investigate the behavior of the system over time. A capability function for a system which is sampled only at one time, for which each subsystem has only two states, and for which the accomplishment set has two elements, reduces directly to a structure function.

Viewed in the context of the model hierarchy, a capability function is a formal expression of how the state trajectories of the base model (bottom model plus higher level basic variables) relate to mission outcomes (and thereby mission accomplishments) at the mission level.

Suppose we have a system $S$ which is decomposed into $n$ subsystems (basic variables) $S_1, \ldots, S_n$. Let the system be sampled at times $t_1, \ldots, t_k$ where $t_1 < t_2 < \cdots < t_k$. As in Section 3.3.1.4 we define a state trajectory for the system $S$ to be the $n \times k$ matrix $u$ where $u_{ij}$ corresponds to the state of subsystem $S_i$ when sampled at time $t_j$ ($1 \le i \le n$, $1 \le j \le k$). Let $\mathcal{A}$ be an accomplishment set for the set of missions performed by the system $S$.

Definition: Let $U$ be the set of all state trajectories for some system $S$. Let $\mathcal{A}$ be an accomplishment set over $S$. Then a capability function is a function $\gamma$ such that

$$\gamma : U \to \mathcal{A}.$$

The relationship between the model hierarchy and capability functions will be demonstrated in the following section. In general, one will attempt to define a capability function by formulating the transformations between levels of the hierarchy, and then composing the transformations in order to tie the hierarchy together. One area of concentration during the next reporting period is concerned with the study of these transformations, the introduction of basic variables, and the capability functions which are subsequently derived.

3.3.2.3 The Capability Function and the Model Hierarchy

As was noted in the previous section, the model hierarchy provides a framework which supports the capability function $\gamma$. By using the hierarchy of models to move from level to level we can reduce the problem of formulating the capability function to the problem of formulating the values of composite variables at level $i$ in terms of model variables (both basic and composite) at level $i+1$. If one thinks of moving up through the hierarchy, the basic step is "jump to the next level and incorporate basic variables." A precise description of this process is one of the goals established for the next reporting period. The remainder of this section is devoted to examples of this procedure.

In Section 3.1.3 a hierarchy was elaborated down to the Intermediate 2 level. This hierarchy forms the basis for the following discussion. Since this hierarchy does not have a bottom model associated with it, we cannot show a capability function per se. However, the three levels which have been elaborated can be used to show the manner in which a trajectory might be mapped up through such a modeling scheme. Before proceeding, the reader may wish to review the development in Section 3.1.3. Figure 13 shows the various matrix variables discussed, together with an interpretation of their meaning.

Consider the Intermediate 2 trajectory

$$\begin{bmatrix} 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 1 & \text{¢} & \text{¢} & 1 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{bmatrix}$$

where the symbol ¢ denotes an element whose value is of no concern. This trajectory describes a mission (at the Intermediate 2 level) in which the autoland computations are in a 'failed' state before and during landing. However, no other complications are encountered. Thus in moving to Intermediate 1, the active control and autoland will be represented by

$$\begin{bmatrix} 0 & 0 & 0 \\ \text{¢} & 1 & 1 \end{bmatrix}$$

indicating that active control is good but autoland has failed sometime during cruise and landing. We now incorporate the weather variable, which is represented by (¢, $a$, ¢), to get

$$\begin{bmatrix} 0 & 0 & 0 \\ \text{¢} & 1 & 1 \\ \text{¢} & a & \text{¢} \end{bmatrix}, \qquad a \in \{0,1\}.$$

This yields two qualitatively different matrices, depending on the value of $a$. Recall that $a = 0$ indicates good weather at the beginning of landing, while $a = 1$ indicates weather which calls for a Category III type landing.
Figure 13. Description of Matrix Variables from Section 3.1.3
First consider the matrix

$$\begin{bmatrix} 0 & 0 & 0 \\ \text{¢} & 1 & 1 \\ \text{¢} & 0 & \text{¢} \end{bmatrix}.$$

In this case, the weather was good, there was no diversion, and fuel consumption was low (this comes from active control = (0,0,0)), so the mission variables $(z_1, z_2, z_3)$ are

$$\begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix},$$

which results in an $A_1$ level of accomplishment. Contrarily, the matrix

$$\begin{bmatrix} 0 & 0 & 0 \\ \text{¢} & 1 & 1 \\ \text{¢} & 1 & \text{¢} \end{bmatrix}$$

indicates a faulty autoland system plus bad weather, so a diversion is required. In this case

$$\begin{bmatrix} 0 \\ 1 \\ 0 \end{bmatrix},$$

indicating the third level of accomplishment $A_3$. Note that the mapping from Intermediate 1 to the mission level depends on the value of the weather variable at the end of the cruise phase.

A second example begins with the matrix

$$\begin{bmatrix} 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 1 & 0 & 1 \\ \text{¢} & \text{¢} & \text{¢} & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{bmatrix}.$$

Both active control computations and internal computations remain error-free throughout the mission. The fuel regulation computations were accomplished only in the final part of the cruise phase, and autoland computations fail during landing. Thus, this matrix maps into the matrix

$$\begin{bmatrix} 1 & 1 & 1 \\ \text{¢} & 0 & 1 \end{bmatrix}$$

on the Intermediate 1 level. The active control trajectory indicates fuel regulation difficulties, while the autoland trajectory indicates a failure after the landing phase has begun. As above, we incorporate the weather variable to get

$$\begin{bmatrix} 1 & 1 & 1 \\ \text{¢} & 0 & 1 \\ \text{¢} & a & \text{¢} \end{bmatrix}, \qquad a \in \{0,1\}.$$

For $a = 0$, the failure of the autoland system does not affect the mission quality. In terms of mission variables we see that $z_1 = 0$ (no fatalities), $z_2 = 0$ (no diversion is necessary) and $z_3 = 1$ (there is high fuel consumption due to failure of fuel regulation). Hence

$$\begin{bmatrix} 0 \\ 0 \\ 1 \end{bmatrix},$$

so an accomplishment level of $A_2$ is achieved. For $a = 1$, we see a condition where the autoland system fails while landing the aircraft. By our assumptions a (fatal) crash ensues. Knowing this, $z_1 = 1$, which indicates the fifth level of accomplishment.
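As an added example, not code from the report, the following Python writes the Intermediate 1 to mission level step of the two cases above as composed transformations: insert the weather basic variable as a third row, compute the mission variables $(z_1, z_2, z_3)$, and map them to an accomplishment level; it then enumerates the $\gamma$-induced sets $\{u \mid \gamma(u) = A_j\}$ of Section 3.3.1.4 for every Intermediate 1 trajectory. The report gives only the two worked cases and does not state how the Intermediate 2 to Intermediate 1 step is computed, so the example starts from Intermediate 1 matrices, and the general rules are assumptions chosen to reproduce those cases: any active-control sample of 1 means high fuel consumption; with $a = 1$ an autoland failure already present at the end of cruise means a diversion, while one appearing only during landing means a crash; $A_1$ to $A_4$ are ordered on $(z_2, z_3)$ with fatalities as $A_5$. The level $A_2$ for $(0,0,1)$ is likewise inferred from the ordering of $A_1$ and $A_3$.

```python
"""Intermediate 1 -> mission level step of a capability function as composed
transformations.  Added example, not code from the report; every rule below is
an ASSUMPTION that reproduces the report's two worked cases.  An Intermediate 1
trajectory is (active_control_row, autoland_row), each row sampled at three
phases, the second sample being the end of cruise."""
from itertools import product

DONT_CARE = None  # stands for the report's "value of no concern" entry


def add_weather(int1, a):
    """Incorporate the weather basic variable (., a, .) as a third row; a=1 means
    weather calling for a Category III landing."""
    return int1 + ((DONT_CARE, a, DONT_CARE),)


def mission_variables(traj):
    """(z1, z2, z3) = (fatalities, diversion, high fuel consumption).  ASSUMED rules:
    - z3 = 1 if any active-control sample is 1 (report shows only (0,0,0) and (1,1,1));
    - with good weather (a = 0) an autoland failure does not affect the mission;
    - with a = 1, an autoland failure already present at end of cruise forces a
      diversion (z2), while one that appears only during landing ends in a crash (z1)."""
    active, autoland, weather = traj
    a = weather[1]
    z3 = int(any(x == 1 for x in active))
    failed_before_landing = autoland[1] == 1
    fails_during_landing = autoland[2] == 1 and not failed_before_landing
    z1 = int(a == 1 and fails_during_landing)
    z2 = int(a == 1 and failed_before_landing)
    return (z1, z2, z3)


def accomplishment_level(z):
    """Index j of A_j.  ASSUMED ordering consistent with the report's cases:
    (0,0,0) -> A1, (0,1,0) -> A3, fatalities -> A5; hence (0,0,1) -> A2, (0,1,1) -> A4."""
    z1, z2, z3 = z
    return 5 if z1 else 1 + 2 * z2 + z3


def gamma(int1, a):
    """Capability function for this part of the hierarchy: the composition
    accomplishment_level o mission_variables o add_weather."""
    return accomplishment_level(mission_variables(add_weather(int1, a)))


def gamma_induced_sets():
    """Partition all 128 Intermediate 1 trajectories (with weather attached) into
    the gamma-induced sets R_j = {u | gamma(u) = A_j}."""
    sets = {}
    rows = list(product((0, 1), repeat=3))
    for active, autoland, a in product(rows, rows, (0, 1)):
        sets.setdefault(gamma((active, autoland), a), set()).add(add_weather((active, autoland), a))
    return sets


if __name__ == "__main__":
    # The report's two cases, each for a = 0 and a = 1.
    for int1 in (((0, 0, 0), (DONT_CARE, 1, 1)), ((1, 1, 1), (DONT_CARE, 0, 1))):
        for a in (0, 1):
            print(int1, "a =", a, "->", mission_variables(add_weather(int1, a)),
                  "level A%d" % gamma(int1, a))
    for level, members in sorted(gamma_induced_sets().items()):
        print("A%d: %d trajectories" % (level, len(members)))
```

The induced sets already carry the kind of dependency information Section 3.3.1.4 is after: within the set for $A_5$ every trajectory has weather sample $a = 1$, so the projection of that set on the weather coordinate at the end of cruise is $\{1\}$, not $\{0,1\}$.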

The above examples show the way in which a capability function may pass from level to level. It is clear that a capability function is a function of both bottom model state trajectories and the trajectories of other basic variables (such as weather) which are inserted at higher levels. One thrust of our ongoing research is aimed at developing a more concise representation of capability functions, together with the investigation of the properties of and relationships between R-dependence, capability, and performability.